CVE-2026-33057

Name of the Vulnerable Software and Affected Versions Mesop versions 1.2.2 and below

Description Mesop, a Python-based UI framework, contains a flaw where an explicit web endpoint within the ai/ testing module infrastructure directly accepts untrusted Python code strings without authentication. This results in unrestricted remote code execution. The issue resides in the /exec-py route of a lightweight Flask server located in ai/sandbox/wsgi app.py. This route accepts base-64 encoded payloads in the code parameter, which are then evaluated and executed on the system. The payload is saved to the operating system and executed using the execute module() function. Successful exploitation grants attackers host-machine command rights.

Recommendations Update to version 1.2.3 or later.